The present invention relates to a method and apparatus for permitting access to information contained in selected fields of a packet subjected to security processing, particularly by intermediate nodes between source and destination nodes when the packet is transmitted on a packet switched network from the source node to the destination node.
In packet switched networks, packets are transmitted between nodes connected to the network to effect communication between the nodes. Information in the packets may include messages and commands such as a request for service, connection management controls, or data. The packets transmitted on the packet switched network are transmitted according to, for example, the Internet Protocol (IP) which defines how to format various information in the packets for transmitting on the packet switched network. Currently, the IP is defined according to IPv4 where the “v4” indicates version 4 of the Internet Protocol, and IPv6 where the “v6” indicates version 6 of the Internet Protocol.
Security across the packet switched network is afforded by the IP Security Protocol (IPsec) as set forth in “Security Architecture for the Internet Protocol”, by S. Kent et al, Request for Comments (RFC) 2401, Network Working Group, Internet Engineering Task Force (IETF), November 1998. IPsec is a protocol designed to provide various security services for traffic at the IP layer and for upper layer protocols in both the IPv4 and IPv6 environments.
These security services are implemented through the use of two traffic security protocols, namely, Authentication Header (AH) Protocol, and Encapsulating Security Payload (ESP) Protocol and through the use of Cryptographic Key Management Procedures and Protocols. The set of IPsec Protocols employed in any context, and the ways in which they are employed, are determined by the security and system requirements of users, applications and/or sites/organizations.
The AH protocol provides the security services of connectionless integrity, data origin authentication and anti-replay. The ESP protocol provides the security services of confidentiality (encryption) and limited traffic flow confidentiality. The ESP protocol can also provide the security services of connectionless integrity, data origin authentication and anti-replay. These protocols may be applied alone or in combination with each other to provide a desired set of security services in IPv4 and IPv6. When either of these protocols is used, particular security processing is performed. Each protocol supports two modes of use: Transport Mode and Tunnel Mode. In the Transport Mode the protocols provide protection primarily for upper layer protocols. In the Tunnel Mode the protocols are applied to tunneled IP packets.
Both AH and ESP make use of Security Associations (SAs). An SA is a simplex “connection” that affords security services to the traffic carried by it. An SA is uniquely identified by a triple including a destination IP address, a Security Protocol (AH or ESP), and a Security Parameter Index (SPI). The endpoints of an SA can, for example, be a pair of hosts, a pair of security gateways, or a security gateway and a host. The security gateway can, for example, be a router, a firewall, etc. When either end or both ends of an SA are a security gateway, the tunnel mode is used.
Prior to the use of the above described security protocols, an SA must be established. Thus, prior to use of the ESP protocol between, for example, two hosts, an SA, identified according to the triple described above, must be established between the pair. When the ESP protocol is used, the entire IP packet, with the exception of the IP header, the AH protocol header if present and the ESP header, is encrypted during packet transmission as illustrated by the shaded areas in FIG. 1.
As illustrated in FIG. 1, the IP packet which has been subjected to security processing according to the ESP protocol includes an IP header 102, an ESP header 104, a transport PDU (Payload Data Unit) 106, an ESP trailer 108 and an ESP authenticator 110. The ESP header 104 includes an SPI field 104-1 and a sequence number field 104-2. The transport PDU 106 includes payload data which can be of variable length, and the ESP trailer 108 includes a padding field 108-1, a padding length field 108-2 and a next header identifier field 108-2. The payload data can include, for example, transport level information including a Transmission Control Protocol (TCP) header, User Datagram Protocol (UDP) header or Internet Control Message Protocol (ICMP) header and port number. The sequence number contained in the sequence number field 104-2 of the ESP header is a 32-bit monotonically increasing number that is present to prevent replay attacks. Since the payload data 106 and the ESP trailer 108 are encrypted according to the security processing effected by, for example, the ESP protocol, the only information visible to any intermediate nodes between the source and destination of the SA (including the first-hop ingress and egress routers) would be the IP header 102, the ESP header 104 and the ESP authenticator 110.
Although not illustrated, an IP packet subjected to security processing according to the AH protocol in addition to ESP, when used, causes the same problems as when the ESP protocol alone is used. Namely, the entire transport payload including the transport headers is encrypted. Therefore, an IP packet subjected to security processing according to the AH and ESP protocols would have a configuration similar to that illustrated in FIG. 1, with the exception that the AH header would be present as well.
The security processing, particularly encryption, of selected information in selected fields, especially the transport level information including the transport protocol and the port number, is undesirable for certain intermediate nodes such as, for example, packet classifier/marker nodes providing differentiated services, policing nodes such as firewalls, or management nodes for metering. For example, if the ingress router also serves the function of a packet classifier/marker node providing differentiated services, this router will not be able to access the transport level information, such as the transport protocol and port number, that may be used as indicators of the type of service desired according to the differentiated services framework. For example, a TCP destination port number of 80 may indicate access to a web server, which could be used to classify and mark the Differentiated Services Code Point (DSCP) in the packet for an appropriate treatment for web related services. This type of classification and marking, known as multi-field classification (and marking) and differentiated services (DIFFserv), would not be possible if ESP is used as described above.
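The packet layout of FIG. 1 and the classification failure just described can be made concrete by parsing packets the way an intermediate node would. The following is an added example, not part of the patent text: it builds a constructed cleartext TCP packet and a constructed ESP-protected packet (the "ciphertext" and authenticator bytes are fixed stand-ins, not real ESP encryption), parses the IP and ESP headers that remain visible on the path, attempts DSCP classification on the destination port, and keeps a per-SA anti-replay window indexed by the (destination address, protocol, SPI) triple. The DSCP value used for web traffic and all addresses, SPIs and port numbers are assumptions chosen for the example.

```python
# Added example (not from the patent): what an intermediate node can and
# cannot see in an ESP-protected IPv4 packet, and why port-based DSCP
# classification fails once ESP is applied.
import socket
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50
WEB_DSCP = 10          # assumed local policy: mark TCP/80 traffic with DSCP 10
ICV_LEN = 12           # assumed authenticator length for the sample packet


def build_ipv4(src, dst, proto, payload, dscp=0):
    """Minimal 20-byte IPv4 header (no options, checksum left zero) + payload."""
    ver_ihl = (4 << 4) | 5
    tos = dscp << 2                                  # DSCP is the top 6 bits of TOS
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_ipv4(pkt):
    """Fields of the IP header 102: visible to every node on the path."""
    ver_ihl, tos, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "dscp": tos >> 2, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "payload": pkt[ihl:]}


def build_esp(spi, seq, ciphertext, icv):
    """ESP header 104 (SPI, sequence number) + opaque body + authenticator 110."""
    return struct.pack("!II", spi, seq) + ciphertext + icv


def parse_esp(data, icv_len=ICV_LEN):
    """Only SPI and sequence number are readable; the rest is opaque ciphertext."""
    spi, seq = struct.unpack("!II", data[:8])
    return {"spi": spi, "seq": seq, "encrypted": data[8:-icv_len], "icv": data[-icv_len:]}


def classify_dscp(pkt):
    """Multi-field classification: returns (dscp or None, reason)."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == IPPROTO_TCP:
        _, dst_port = struct.unpack("!HH", ip["payload"][:4])   # ports are cleartext
        if dst_port == 80:
            return WEB_DSCP, "tcp/80 visible in cleartext"
        return None, "tcp, non-web port %d" % dst_port
    if ip["proto"] == IPPROTO_ESP:
        esp = parse_esp(ip["payload"])
        # The transport header is inside the encrypted body: no port to classify on.
        return None, "esp spi=0x%08x seq=%d: transport header encrypted" % (esp["spi"], esp["seq"])
    return None, "unsupported protocol %d" % ip["proto"]


class ReplayWindow:
    """Sliding anti-replay window over the 32-bit ESP sequence number (receiver side)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) already seen

    def accept(self, seq):
        if seq == 0:                                  # sequence numbers start at 1
            return False
        if seq > self.top:                            # advance the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False                              # too old, or a replay
        self.bitmap |= 1 << diff
        return True


def receive_esp(pkt, sad):
    """Look up the SA by its (dst, protocol, SPI) triple and run the replay check."""
    ip = parse_ipv4(pkt)
    esp = parse_esp(ip["payload"])
    window = sad.get((ip["dst"], "ESP", esp["spi"]))
    if window is None:
        return False, "no SA for triple"
    return window.accept(esp["seq"]), "spi=0x%08x seq=%d" % (esp["spi"], esp["seq"])


def sample_packets():
    """Constructed samples: a cleartext TCP/80 packet and an ESP-protected packet."""
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    clear = build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_TCP, tcp_hdr)
    fake_ct = bytes(range(0x90, 0x90 + 24))          # stand-in for ciphertext, NOT real ESP
    fake_icv = b"\xaa" * ICV_LEN                     # stand-in for the authenticator
    protected = build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_ESP,
                           build_esp(0x1234ABCD, 1, fake_ct, fake_icv))
    return clear, protected


if __name__ == "__main__":
    clear, protected = sample_packets()
    print("cleartext :", classify_dscp(clear))
    print("esp       :", classify_dscp(protected))
    sad = {("10.0.0.2", "ESP", 0x1234ABCD): ReplayWindow()}
    print("first copy:", receive_esp(protected, sad))
    print("replayed  :", receive_esp(protected, sad))
```

Running the script shows the classifier marking the cleartext packet with the assumed web DSCP while returning no DSCP for the ESP packet, whose only readable fields are the SPI and sequence number; the second delivery of the same ESP packet is rejected by the receiver's window, which is the anti-replay service the sequence number exists to provide.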
Therefore, there is a need to provide selected field accessibility for certain intermediate nodes in the presence of, for example, security processing of an IP packet, without compromising the security of the system or requiring modifications to the existing protocols.